Keeping an Organisation Secure | News

Keeping an Organisation Secure

I love security and I love hacking. In 1977, my school had a mainframe computer, one of the first mainframes anywhere in Australia, and I hacked into it. I got into such trouble, but I found hacking interesting and exciting… even though I was banned from the mainframe for the rest of my school days!


Fast forward to 2010 and I was using my powers for good, undertaking some consulting work for a major bank that was losing over $20m each year to fraudulent transactions via their internet banking channel. We proposed a solution to install a robust two-factor authentication process that would have made it virtually impossible for anybody to steal another’s identity, or steal somebody’s credentials and log in as them. The return on investment was less than twelve months, but they rejected the idea on the basis that the customer experience they were trying to create was more important than security. In 2018 customer experience is still top of mind, but security is now intrinsic to that experience. It’s not a case of either/or.


Today, technology is advancing quickly and there are much better hackers than me, but I still know what it takes to keep an organisation secure.


The first line of defence is actually social, not technical. Defending against social engineering means making sure that staff do not fall for things like phishing scams. They need to be made aware of people trying to impersonate others, and trained not to give out their passwords or to let someone follow them into a building. Even today, these things are still the foundation of security. I love the social engineering component that helps ensure that, from a security perspective, when an organisation is being attacked all of its employees, staff and systems are kept safe. There is an ever increasing amount of technology available, with incredible firewalls, artificial intelligence responses and antivirus software. There are many different solutions to protect a network, but the challenge remains human. Individuals either misconfigure systems, or they simply do something that they shouldn’t, like having ‘password’ as their password.


The second area, human intelligence, is also social but in a different way. Human intelligence gathering requires a collective effort. At Security in Depth we have a network of 9,000 individuals globally with whom we communicate about what they’re experiencing and where they see emerging cybersecurity challenges. Human intelligence gathering is cumulative; we draw on a whole range of information, local and global, to better understand ongoing threats. Used well, collective intelligence forms a kind of ‘global shield’ that raises awareness and improves defence against a common threat.


The third area is governance. Organisations must implement risk management and governance processes to manage their security frameworks, instil best practice amongst employees and conduct audits regularly. In a connected world, of particular importance is how an organisation integrates its systems and processes with other companies. One of the challenges today is that while an organisation might be secure internally, a company that it exchanges data with might not be, and that exposes a risk. A talented hacker can enter one company via another company’s systems in order to steal data or introduce malware. Risk management processes, and particularly the protocols for integrating with a third party, are vital. These processes might include penetration testing, security testing, security audits and code reviews of the third party’s platforms.


Finally, there’s incident response, to limit the impact when a security incident does occur, and pre-emptive simulated attacks, known as red teaming, so organisations can see how they would respond to a real attack. Red teaming can be a fun but alarming exercise. Through a planned activity, organisations get to see what damage could be done. It goes beyond penetration testing to see whether the physical premises and network can be breached. It might be through wifi, an office walk-in, unattended live network cables, USB drops, phishing or other means, just to see how deeply the network can be penetrated and, most importantly, how the organisation responds and what changes need to be made.


Those four things are in many ways the basics. The challenge is that the weakest link is going to be the individual. Technology is evolving to a point where applications and products will be secure. Historically, security wasn’t built into many of the applications we all use. Software was built for a defined purpose, whether for creating documents or calculating financial forecasts; it wasn’t thought of as a tool that could be abused to spread malicious content. Today, software and hardware are being built with security in mind. The technology will continue to change and become more secure over the coming years; applications will become less vulnerable, security ‘patches’ should become fewer over time, and technology will become easier to manage. The challenge will remain human: you can have the greatest piece of technology, but if a laptop is left unlocked and unattended, somebody who picks it up potentially has the keys to the kingdom, because email and other parts of the network can then be reached without ever breaking a single control.


At Security in Depth we have the motto ‘trust but validate’. If an individual is connecting from an unknown source, an unknown IP address or an unknown computer, we recommend two-factor authentication: something you have and something you know. A password is still required, but it must be validated by a second factor, for example a one-time code from an RSA token. That’s a good starting point, and systems that recognise where traffic is coming from and can determine whether it is normal or abnormal are a great help. Every organisation is vulnerable at some point, but our mission is to provide solutions and products that enable organisations everywhere around the world to be more secure and to reduce their risk.
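The ‘trust but validate’ rule above can be shown concretely: a password is always checked, and a one-time code is demanded in addition whenever the login comes from a source the user has never validated from. The following is an added example written for this article, not Security in Depth’s product or any code from the original page. In place of the RSA token mentioned in the text it uses a standard TOTP (RFC 6238: HMAC-SHA1, 30-second step, six digits), which is the openly specified equivalent; the user name, password, token secret (the RFC 6238 test-vector key), salt and IP addresses are constructed assumptions for the demonstration.

```python
"""Password plus a time-based one-time code, with a step-up rule for
logins from unknown sources.

Added example written for this article; it is not Security in Depth's
product or code.  The second factor is a standard TOTP (RFC 6238:
HMAC-SHA1, 30-second step, 6 digits), used here in place of the RSA
token mentioned in the text.  The user name, password, token secret
(the RFC 6238 test-vector key), salt and IP addresses are constructed
assumptions for the demonstration.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional, Tuple

STEP_SECONDS = 30        # TOTP time step
DIGITS = 6               # length of the one-time code
PBKDF2_ROUNDS = 100_000  # slow hash for password storage


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


def totp(secret: bytes, now: float) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(now // STEP_SECONDS))


def verify_totp(secret: bytes, submitted: str, now: float, drift_steps: int = 1) -> bool:
    """Accept the code for the current step or its +-drift_steps neighbours
    (token clocks drift).  Malformed input is rejected up front; the real
    comparison is constant-time so a partial match cannot leak timing."""
    if len(submitted) != DIGITS or not submitted.isdigit():
        return False
    counter = int(now // STEP_SECONDS)
    return any(hmac.compare_digest(hotp(secret, counter + d), submitted)
               for d in range(-drift_steps, drift_steps + 1))


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow password hash (PBKDF2-HMAC-SHA256) for storage."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed user record (assumption).  In practice the TOTP secret is
# provisioned to the user's token or authenticator app at enrolment and
# the salt is random and unique per user.
_SALT = b"constructed-per-user-salt"
USERS = {
    "alice": {
        "pw_hash": hash_password("correct horse battery staple", _SALT),
        "totp_secret": b"12345678901234567890",   # RFC 6238 test-vector key
        "known_ips": {"203.0.113.10"},           # documentation address (TEST-NET-3)
    }
}


def login(username: str, password: str, source_ip: str,
          otp: Optional[str] = None, now: Optional[float] = None) -> Tuple[bool, str]:
    """'Trust but validate': the password is always required, and a
    one-time code is additionally required when the request comes from a
    source the user has never validated from.  Returns (ok, reason)."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    if user is None:
        # Hash anyway so unknown and known user names take equal time.
        hash_password(password, _SALT)
        return False, "bad credentials"
    if not hmac.compare_digest(hash_password(password, _SALT), user["pw_hash"]):
        return False, "bad credentials"
    if source_ip in user["known_ips"]:
        return True, "password ok, known source"
    if otp is None:
        return False, "unknown source: one-time code required"
    if not verify_totp(user["totp_secret"], otp, now):
        return False, "one-time code invalid"
    user["known_ips"].add(source_ip)   # validated once, trusted afterwards
    return True, "password and one-time code ok, source now trusted"


if __name__ == "__main__":
    secret = USERS["alice"]["totp_secret"]
    code = totp(secret, time.time())
    print(login("alice", "correct horse battery staple", "198.51.100.7", code))
```

The drift window of one step either side is the usual compromise between tolerating token clock skew and limiting how long a phished code stays usable; in production the server would also record the last accepted counter so a code cannot be replayed within that window.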